Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror

Comment Re:Privilege separation, anyone? (Score 2, Informative) 261

by FraGGod (#32662298) Attached to: Firefox 3.6.4 Released With Out-of-Process Plugins
Well, I can think of a "nobody" user with home in, say, /tmp/nobody, and flash is running with it's uid and cgroup'ed, so:
  • flash can read any libs or binaries (for these raw graphic ops, I presume) from fs as needed.
  • flash can't access sensitive data in /home/myuser.
  • flash can't write to /home/myuser/.mozilla/firefox/**/some_binary_file (that might get injected into process, run as "myuser").
  • it can write to it's own "home" and access network as it pleases, although it will die along with a browser tab (cgroup gets killed, and flash can't escape it via forks).

I don't know much about what files flash accesses on local fs, but it certainly doesn't need write access anywhere but $HOME on unixes (works fine w/o it as it is), and I doubt it ever accesses ~/.mozilla (or ~/.opera, ~/.chrome, whatever) directly - these are subject to a constant change and shouldn't be necessary for the plugin which has direct interface to a working browser (whatever one it is). What am I missing here?

Comment Privilege separation, anyone? (Score 5, Insightful) 261

by FraGGod (#32661716) Attached to: Firefox 3.6.4 Released With Out-of-Process Plugins

Ok, now that we're able to put flash code in a separate proc, my question is: can we cut it's privileges so another (monthly) "zero-day vulnerability" will finally become just a tale to scare little children?
Strangely enough, with all the concern about flash security, article seem to miss that point.
Open Source

Do Build Environments Give Companies an End Run Around the GPL? 374

Posted by timothy from the technical-compliance dept.
Malvineous writes "I have two devices, from two different companies (who shall remain nameless, but both are very large and well-known) which run Linux-based firmware. The companies release all their source code to comply with the GPL, but neither includes a build environment or firmware utilities with the code. This means that if you want to alter the free software on the device, you can't — there is no way to build a firmware image or install it on the devices in question, effectively rendering the source code useless. I have approached the companies directly and while one of them acknowledges that it is not fully GPL-compliant, due to other license restrictions it cannot make the build environment public, and the company does not have the resources to rewrite it. I have approached the FSF but its limited resources are tied up pursuing more blatant violations (where no code at all is being released.) Meanwhile I am stuck with two devices that only work with Internet Explorer, and although I have the skills to rewrite each web interface, I have no way of getting my code running on the devices themselves. Have these companies found a convenient way to use GPL code, whilst preventing their customers from doing the same?"
Emulation (Games)

First Pandora Console Reaches Customer 271

Posted by Soulskill from the insert-pandora's-unboxing-pun-here dept.
neogramps writes "It's been a long time coming, but the first Pandora consoles are finally rolling off of the production line. (Well, this one actually walked out the door to a customer who lived near the 'factory.') Initial estimates had put production and development at taking two months, but Murphy had other ideas. Banking issues, design problems, problems communicating with the Chinese moulding company, escalating assembly costs, and even a volcano all managed to get in the way, but the small and dedicated team soldiered on, and just over a year and a half later, the wait is coming to an end for the 4,000 pre-orderers."

Slashdot Top Deals

You have junk mail.

Close